Jannah Theme License is not validated, Go to the theme options page to validate the license, You need a single license for each domain name.

FBI shares tactics of notorious hacker collective Scattered Spider

The Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency have issued an advisory regarding the evasive threat actor identified as Scattered Spider, a loosely knit hacker collective now collaborating with the Russian ALPHV/BlackCat ransomware operation .

Scattered Spider, also known as 0ktapus, Starfraud, UNC3944, Scatter Swine, Octo Tempest and Muddled Libra, is adept at social engineering and relies on phishing, multi-factor authentication (MFA) bombing (fatigue Targeted MFA) and SIM card swapping to gain initial network access in large organizations.

The group includes young English-speaking members (as young as 16) with diverse skills who frequent the same hacker forums and Telegram channels.

Some members are also believed to be part of “Comm”, a loosely knit community involved in violence and cyber incidents that has recently received media attention.

Contrary to the general belief that it is a cohesive gang, it is a network of individuals, with different threat actors participating in each attack. This fluid structure makes them difficult to follow.

However, according to Reuters reporters, the FBI knows the identities of at least 12 members of the group but none have yet been charged or arrested.


Scattered Spider attacks have been documented since last summer, when researchers at cybersecurity firm Group-IB published a report on a series of attacks aimed at stealing Okta identity credentials and 2FA codes, which had started in March of the same year.

In December 2022, CrowdStrike presented the threat actor as a financially motivated group targeting telecommunications companies, employing high-level social engineering tactics, defense reversal, and a rich set of software tools.

In January 2023, Crowdstrike discovered that Scattered Spider was using Bring Your Own Vulnerable Driver (BYOVD) methods to evade detection by endpoint Detection and Response (EDR) security products.

Most recently, in September of this year, two high-profile attacks against MGM Casino and Caesars Entertainment were attributed to Scattered Spider, where malicious actors used the BlackCat/ALPHV locker to encrypt systems.

The threat actor’s past activities include attacks on MailChimp, Twilio, DoorDash, and Riot Games.

An October report from Microsoft, which calls them Octo Tempest, says they are one of the most dangerous financial crime groups and are known to use violent threats to achieve their goals.

Octo Tempest Threats Physical Damage to Get Account Logins
source: Microsoft

The researchers’ findings on the group’s variety of attack methods indicate that its members possess knowledge that spans different areas of cybercrime, from social engineering and hacking to SIM swapping, phishing and bypassing connection protections.

Scatter Spider Tactics

The FBI and CISA alert highlights Scattered Spider’s powerful initial access tactics of targeting a company’s employees by posing as IT or support staff and tricking them into providing credentials or even direct network access.

Individual tactics include phone calls, SMS phishing, email phishing, MFA fatigue attacks, and SIM swapping. Domains used for email and SMS phishing misuse the Okta and Zoho ServiceDesk brands combined with the target’s name to make them appear legitimate.

Having gained a foothold on the network, Scattered Spider uses a range of publicly available software tools for reconnaissance and lateral movement, including:

  • Fleetdeck.io: Remote system monitoring and management
  • Level.io: Remote system monitoring and management
  • Mimikatz: Extracting credentials
  • Ngrok: Remote web server access via Internet tunneling
  • Pulsed channel: Remote system monitoring and management
  • Connection to the screen: Managing remote connections of network devices
  • Splashtop: Managing remote connections of network devices
  • Tactical.RMM: Remote system monitoring and management
  • Rear ladder: VPN for secure network communications
  • Team Viewer: Managing remote connections of network devices

Apart from the above legitimate tools used for malicious purposes, Scattered Spider also conducts phishing attacks to install malware such as WarZone RAT, Raccoon Stealer and Vidar Stealer, in order to steal login credentials, cookies and other data useful in the attack on compromised systems.

A new tactic seen in the malware group’s recent attacks is data exfiltration and file encryption using ALPHV/BlackCat ransomware, followed by communication with victims via a messaging app, email or other secure tools to negotiate ransom payment.

Scattered Spider actors affiliated with BlackCat are also known to use the ransomware gang’s data leak site as part of their extortion attempts, where they leak data or post statements, as happened with their attack on Reddit.

Reddit Listed on ALPHV Ransomware Data Leak Site
source: Bleeping Computer

Scattered Spider shows particular interest in valuable assets such as source code repositories, code signing certificates, and credential storage.

Additionally, attackers closely monitor the victim’s Slack channels, Microsoft Teams, and Microsoft Exchange emails for messages containing indications that their activities have been discovered.

“Threat actors frequently participate in incident resolution and response calls and conference calls, which can identify how security teams are tracking them and proactively develop new intrusion pathways in response in defense of victims” – Federal Bureau of Investigation

The agency adds that cybercriminals achieve this “by creating new identities in the environment” who often have fake social media profiles for a false sense of legitimacy.

Proposed mitigations

The FBI and CISA recommend implementing specific mitigation measures to protect against threats imposed by Scattered Spider.

The main recommendations of the opinion propose to:

  1. Use “allowlist” application controls to manage software execution.
  2. Monitor remote access tools and implement phishing-resistant multi-factor authentication (MFA).
  3. Secure and limit the use of Remote Desktop Protocol (RDP) with best practices and MFA.
  4. Maintain offline backups and follow a robust data recovery plan.
  5. Follow NIST standards for strong, less frequently changed passwords.
  6. Keep systems and software regularly updated, focusing on fixing vulnerabilities.
  7. Implement network segmentation to control traffic and prevent the spread of ransomware.
  8. Use network monitoring and endpoint detection and response (EDR) tools to detect abnormal activity.
  9. Improve email security by disabling risky links and encrypting backup data.

Finally, organizations are advised to test and validate their security controls against the MITER ATT&CK techniques described in the advisory.

Gn En bus

Not all news on the site expresses the point of view of the site, but we transmit this news automatically and translate it through programmatic technology on the site and not from a human editor.
Back to top button